ISO 22301:2019 – Business Continuity Management Systems – By Magnus Management Consulting LLC

What is ISO 22301:2019?

This international standard, ISO 22301:2019 – Security and Resilience – Business Continuity Management Systems – Requirements, in enabling any organization, regardless of size, industry, or nature, to implement, maintain, and improve a business continuity management system, is the first of its kind. The standard specifies the structure and requirements for a BCMS, which ultimately helps an organization protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions.

As a management system standard, ISO 22301:2019 includes numerous components that might be familiar to users ISO 9001 and ISO 14001. This includes the involvement of competent persons, documented information, management review, continual improvement, and the Plan-Do-Check-Act (PCDA) cycle. In fact, PCDA concepts are present in most clauses of ISO 22301:2019.

The requirements specified in this document are generic and intended to be applicable to all organizations, or parts thereof, regardless of type, size and nature of the organization. The extent of application of these requirements depends on the organization’s operating environment and complexity.

This document is applicable to all types and sizes of organizations that:

a) implement, maintain and improve a BCMS.
b) seek to ensure conformity with stated business continuity policy.
c) need to be able to continue to deliver products and services at an acceptable predefined capacity during a disruption.
d) seek to enhance their resilience through the effective application of the BCMS.

This document can be used to assess an organization’s ability to meet its own business continuity needs and obligations.

ISO 22301:2019 What’s changed?

Headline changes, some of which are listed in the Foreword of the Standard, are as follows.

ISO 22301 now conforms to ISO’s requirements for management system standards, which have evolved since 2012 (Annex SL). (Remember ISO 22301:2012 was the first ISO MSS to follow the new Annex SL guidelines. Since then, numerous MSS have been revised or developed using this approach and the interpretation applied in ISO 22301:2012 has since evolved). This has been a significant focus for the 2019 update.
Requirements have been clarified, with no new requirements added (but see amendments below);
Discipline-specific business continuity requirements are now almost entirely within section 8;
A number of discipline-specific business continuity terms have been modified to improve clarity and reflect current thinking; and
Content in clause 8 has been reordered, duplication removed, and terminology simplified and more consistent.

ISO 22301:2019 Mandatory documents

To help you out, here’s the list of ISO 22301:2019 mandatory documents for the Business Continuity Management System – BCMS:

List of legal, regulatory and other requirements (clause 4.2.2) – lists everything you need to comply with.
Scope of the BCMS and explanation of exclusions (clause 4.3) – defines where your BCMS will be implemented.
Business continuity policy (clause 5.2) – defines main responsibilities and the intent of the management.
Business continuity objectives (clause 6.2) – defines measurable objectives that are to be achieved with business continuity.
Competencies of personnel (clause 7.2) – defines knowledge and skills needed.
Business continuity plans and procedures (clause 8.4) – includes plans and procedures for response, communication, recovery (including disaster recovery plans), restore and return activities.

Documented communication with interested parties (clause 8.4.3.1) – these could be emails, but also official communication from sources such as government agencies and others.
Records of important information about the disruption, actions taken and decisions made (clause 8.4.3.1) – normally these records are done through minutes or by filling out checklists of performed activities.

Data and results of monitoring and measurement (clause 9.1.1) – this is the evaluation on whether your BCMS met the objectives.
Internal audit program (clause 9.2)
Results of internal audit (clause 9.2) – normally, this is the Internal audit report.
Results of management review (clause 9.3) – usually, this is in the form of minutes or perhaps documented decisions.
Nature of nonconformities and actions are taken (clause 10.1) – this is a description of nonconformities and their cause.
Results of corrective actions (clause 10.1) – this is a description of what has been done to eliminate the cause of a nonconformity.

Benefits of ISO 22301:2019 standard

The ISO 22301:2019 standard can provide benefits for your business continuity planning, even if your organization chooses not to pursue certification or the review process that confirms your business continuity system meets all ISO 22301:2019 requirements.

As Andrew Nichols of the Michigan Manufacturing Technology Center suggests, if your organization already implements other ISO standards, such as ISO 9001 or ISO 27000, you can leverage some of the common requirement elements for your 22301 plans.

Benefits of ISO 22301:2019 – Business Continuity Management Systems

Consider these specific benefits of using ISO 22301:2019 business continuity planning:

Protect against and recover from disruptive incidents.
Identify and control current and future threats.
Improve your risk management planning efforts.
Prevent large-scale damage.
Become proactive in preventing problems and recovering from incidents, rather than reactive to damage and disruption.
Reduce downtime and increase recovery time.
Keep important activities running during disruption.
Deliver quality products consistently.
Provide dependable service.
Prove you’re a reputable supplier.
Prove your resilience to all stakeholders.